1. SUMMARY


CARE III is a reliability program designed for the assessment of fault-
tolerant flight control systems. This program was developed by Raytheon
under the direction of Dr. J. J. Stiffler (NASA CR-3566). CARE III, Version
3, the most recent Raytheon developed version of CARE III, was the version of
the code used for this study.

Under NASA funding and direction, BCS was to verify the mathematical model 
and code (Task 1) and test stress the program (Task 2). 

During this study, several problems with CARE III were identified. These 
problems concerned: 

• Mathematical Modeling 

• Numerical Procedures 

• Code Implementation 

• Use as a Design Tool 

A subset of these problems was identified which could be readily addressed. 
A number of code modifications (Tasks 3 and 4) are described in this 
document. The resulting code, delivered by BCS to NASA in February 1984, is 
referred to as CARE III, Version 4. The problems addressed under Tasks 3 and 
4 were: 

• MARKOV COVERAGE 

The coverage module in Version 3 was numerically unstable. For the 
special case of a Markov coverage model, one with constant transition 
rates, a numerically stable solution was implemented in Version 4 which 
is also highly efficient. This solution is described in Section 2.0. 

• SYSTEM FAULT TREE 

System failure due to spares exhaustion is represented in CARE III by a 
system fault tree. As implemented in Version 3, the calculation of 
system unreliability does not completely represent the system fault
tree. In particular, the contribution of coverage failure to the 
system unreliability may be neglected for some significant cases. The 
improved fault vector selection procedure for Version 4 is described in 
Section 3. 

• SUBRUNS 

CARE III has size limitations on the critical pair fault trees (70 
modules, 20 stages). To permit the handling of larger problems, the 
system may be broken up into SUBRUNS, which are combined for system 
assessment. As implemented in Version 3, the calculation of system 
unreliability from SUBRUN unreliability does not assure a conservative 
estimate of system unreliability. This problem is discussed in Section 
4.1. An improved heuristic for extracting SUBRUN fault trees from the 
system fault tree for Version 4 is described in Section 4.2. Also, an 
improved fault vector generator was developed which improves the run 
time for large problems. 

• MATHEMATICAL MODEL AND IMPLEMENTATION 

The mathematical model implemented in CARE III was verified for non-transient
faults (CR-166096). Under Task 4, it was also verified for transient faults.
The code has been modified in Version 4 to implement the model correctly for
transient faults. The implementation of the sparing rules has also been
corrected. Additional code changes were also made to improve the
computational efficiency. A discussion of these efforts is given in Section
5.0.

• TEST STRESSING 

As part of the assessment of CARE III as a reliability tool, two real 
fault-tolerant flight control systems were examined. Although FTMP is 
a complex system with complications that are not easily represented, 
CARE III offers sufficient flexibility to permit a realistic 
reliability evaluation. Although SIFT is very simple in design, it is 
not amenable to analysis with CARE III. This is because SIFT is
composed of an active pentaplex with spares. CARE III is designed to 
handle only duplex monitoring and triplex voting for fault tolerance. 
Section 6.0 provides a description of the analyses performed. 
2. THE MARKOV COVERAGE MODEL


The coverage models characterize the system handling of faults. The Single
Fault Coverage Model, SFCM, describes failures due to lack of fault detection
in a single module. The Double Fault Coverage Model, DFCM, describes
failures due to coexisting faults on critical pairs of modules. Both models,
presented in NASA CR-3566 and NASA CR-166096, are defined as semi-Markov
processes with exponential and/or uniform transition distributions.

A special case arises when all transitions occur according to constant rates, 
i.e., exponential transition distributions. The coverage models then become 
homogeneous Markov processes. The structure of these processes allows for a 
larger choice of solution techniques than those proper for Semi-Markov 
models. 

The following section describes the general approach for solving a time- 
homogeneous Markov process. This framework is referred to in Sections 2.2 
and 2.3 in the solution of the Markov coverage models SFCM and DFCM.

2.1 MARKOV PROCESSES 

A Markov process is the probabilistic model that describes the dynamics of a 
memory-less system, i.e., a system where the future behavior is independent 
of the past when the present state is known. 

In such processes, transitions between states occur at constant rates and the 
probabilistic behavior is given by a system of ordinary differential 
equations. 

In the Coverage models there are a finite number of states which will be 
numbered consecutively; state 1 is the initial state, i.e., state A in the 
SFCM and state B₁A₂ in the DFCM.

The coverage functions to be computed are some state probabilities and some 
intensities of entry into absorbing states. The problem reduces to finding 
the former since the latter are linear combinations of these. 

A general algorithm used to evaluate the coverage functions is composed of
two steps: 

1. Evaluate P(t), the vector of state probabilities for non-absorbing 
states. 

P(t) is obtained as the solution to the system of ordinary differential
equations

$$\frac{d}{dt} P(t) = G_1\, P(t), \qquad P_i(0) = \begin{cases} 1 & \text{if } i \text{ is the initial state,} \\ 0 & \text{otherwise,} \end{cases}$$

where G_1 is the transpose of the matrix of transition rates between
non-absorbing states.

2. Evaluate p(t), the vector of intensities of entry into absorbing states.
p(t) is obtained as a linear combination of P(t):

$$p(t) = G_0\, P(t)$$

where G_0 is the transpose of the matrix of rates for transition from
non-absorbing to absorbing states.

In the next two sections this algorithm is adapted to the characteristics of 
the two coverage models and to the specific functions to be evaluated in each 
case. 
2.2 MARKOVIAN SINGLE FAULT COVERAGE MODEL

Under the assumption that all transitions occur at constant rates, the SFCM 
becomes a Markov process with states, transitions, and rates as shown in 
Figure 2.2-1. 

The functions required by the Macro Reliability Model as outputs from the
SFCM are

p_F(t) : intensity of entry into failure state F,

p_DP(t) : intensity of entry into detected-as-permanent state DP,

P_B(t) : probability of benign state B,

P_B̄(t) : probability of non-benign state B̄, and

P_L(t) : probability of latent state L,

where B̄ = aggregate of states A, A_E and B_E;

and L = B for transient faults,

aggregate of states B and B̄ otherwise.

The desired functions are obtained as follows: 

(i) Compute the state probabilities for the states A, B, A_E and B_E
(P_i(t), i = 1,2,3,4) by solving the four dimensional system of
differential equations

$$\frac{d}{dt} P(t) = G\, P(t),$$

where G is given by

$$G = \begin{bmatrix}
-(\alpha + \delta + \rho) & \beta & (1 - P_A)\,\varepsilon C & 0 \\
\alpha & -\beta & 0 & (1 - P_B)\,\varepsilon C \\
\delta & 0 & -(\varepsilon + \alpha) & \beta \\
0 & 0 & \alpha & -(\varepsilon + \beta)
\end{bmatrix}$$
(ii) Evaluate the required functions as linear combinations of the 
functions obtained in (i). The specific calculations for each 
function and each fault type are shown in Table 2.2-1. 

2.3 MARKOVIAN DOUBLE FAULT COVERAGE MODEL

The Markovian DFCM is shown in Figure 2.3-1.

The only function required as output from the DFCM is p_DF(t): intensity of
entry into the failure state DF.

This function is evaluated as

$$p_{DF}(t) = \gamma_2\, P_1(t) + \gamma_1\, P_2(t)$$

where the vector P(t) = (P_1(t), P_2(t), P_3(t)) is the solution to the system

$$\frac{d}{dt} P(t) = G\, P(t),$$

with matrix G given by

$$G = \begin{bmatrix}
-(\beta_1 + \gamma_2) & 0 & \beta_2 \\
0 & -(\beta_2 + \gamma_1) & \beta_1 \\
\alpha_2 & \alpha_1 & -(\beta_1 + \beta_2)
\end{bmatrix}$$

2.4 IMPLEMENTATION OF MODEL

As shown in the previous section, the coverage model may be formulated as a
system of ordinary differential equations (ODE's) for the Markov case. The
single fault model is fourth order and the double fault model is third order.
Solution of the Markov model as a system of ODE's, rather than as a system of
Volterra integral equations, has several advantages. Software for the
numerical solution of ODE's is available that provides high order, variable
stepsize and numerically stable solutions. These features may be combined to
develop a reliable solution procedure for the Markov case that is highly
accurate, yet efficient. In Task 3, BCS implemented the GEARB algorithm for
ODE's in Version 4; it has proven to be efficient (up to 200 times faster
than the Version 3 code for solving the same Markov model) and numerically
stable.

TABLE 2.2-1 OUTPUT FUNCTIONS FROM SFCM
[table body not present in this copy]
(*) These functions are not required.

Implementation of the ODE solution method for the Markov coverage model
required the addition of eight new subroutines to the COVRGE module and
inclusion of the GEARB numerical integration package (HSGEAR). The Version 4
code provides the user the option to use the Version 3 solution procedure or
the Version 4 method for the Markov case. (Variable MARKOV in NAMELIST set
FLTTYP may be set to 1 (default) to select the Version 4 method.) Figures
A.1-2 to A.1-4 illustrate the structure of the Version 3 and Version 4 code
and show which modules were modified or added.

For the single fault coverage model, subroutine MSNGFN computes the solution
using HSGEAR. Subroutine MSNGFD is used by HSGEAR to evaluate the
derivatives of the state probabilities. After the coverage model is solved,
the moments of the output coverage functions are evaluated by MSNGMT using
HSGEAR. Subroutine MSNGMD is used by HSGEAR to evaluate the integrand for
the moment calculation. For the double fault coverage model, a procedure
similar to the single fault case is used to compute the solution and moments
of the output coverage functions using subroutines MDBLFN, MDBLFD, MDBLMT and
MDBLMD.
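The two-step algorithm of Section 2.1 applied to the SFCM matrix of Section 2.2, solved as a system of ODE's as Section 2.4 describes, is shown below as an added example. This is Python written for this page, not the CARE III Fortran (MSNGFN, MSNGFD, HSGEAR). It assumes a fixed-step RK4 integrator in place of the variable-step GEARB package, it assumes how the exits from A_E and B_E are split between DP and F (Table 2.2-1, which fixes this, is not reproduced above), and the rate values are constructed; the function names are this example's own.

```python
from typing import List, Sequence, Tuple

Matrix = List[List[float]]
Vector = List[float]


def matvec(a: Matrix, v: Sequence[float]) -> Vector:
    """Matrix-vector product on plain lists (no numpy needed)."""
    return [sum(aij * vj for aij, vj in zip(row, v)) for row in a]


def sfcm_matrices(alpha: float, beta: float, rho: float, delta: float,
                  eps: float, p_a: float, p_b: float, c: float) -> Tuple[Matrix, Matrix]:
    """Transposed rate matrices of the Markov SFCM (Section 2.2).
    Non-absorbing states, in order: A, B, A_E, B_E (g1 is the matrix G of
    Section 2.2).  Absorbing states, in order: DP, F.  ASSUMPTION for this
    example: rho from A goes to DP; of the exits from A_E (rate eps) the
    share P_A goes to DP and (1-P_A)(1-C) to F, likewise for B_E with P_B."""
    g1 = [
        [-(alpha + delta + rho), beta, (1.0 - p_a) * eps * c, 0.0],
        [alpha, -beta, 0.0, (1.0 - p_b) * eps * c],
        [delta, 0.0, -(eps + alpha), beta],
        [0.0, 0.0, alpha, -(eps + beta)],
    ]
    g0 = [
        [rho, 0.0, eps * p_a, eps * p_b],                                          # -> DP
        [0.0, 0.0, eps * (1.0 - p_a) * (1.0 - c), eps * (1.0 - p_b) * (1.0 - c)],  # -> F
    ]
    return g1, g0


def generator_is_conservative(g1: Matrix, g0: Matrix, tol: float = 1e-9) -> bool:
    """Check before integrating: each column of the stacked matrix [G1; G0]
    must sum to zero, i.e. every rate leaving a non-absorbing state lands in
    some state.  A non-zero column means a transition was dropped or
    double-counted when the matrix was typed in."""
    n = len(g1)
    for j in range(n):
        total = sum(g1[i][j] for i in range(n)) + sum(row[j] for row in g0)
        scale = max(1.0, max(abs(g1[i][j]) for i in range(n)))
        if abs(total) > tol * scale:
            return False
    return True


def solve_coverage(g1: Matrix, g0: Matrix, t_end: float,
                   steps: int = 4000) -> Tuple[Vector, Vector, Vector]:
    """Two-step algorithm of Section 2.1.  Step 1: integrate dP/dt = G1 P
    with P(0) = e_1 (fixed-step RK4 here, standing in for GEARB).
    Step 2: p(t) = G0 P(t).  The absorbed probability (integral of p) is
    carried along so total probability can be checked.
    Returns (P(t_end), p(t_end), absorbed per absorbing state)."""
    n, m = len(g1), len(g0)
    state = [1.0] + [0.0] * (n - 1) + [0.0] * m      # [P ; absorbed]

    def deriv(s: Vector) -> Vector:
        p = s[:n]
        return matvec(g1, p) + matvec(g0, p)

    h = t_end / steps
    for _ in range(steps):
        k1 = deriv(state)
        k2 = deriv([s + 0.5 * h * k for s, k in zip(state, k1)])
        k3 = deriv([s + 0.5 * h * k for s, k in zip(state, k2)])
        k4 = deriv([s + h * k for s, k in zip(state, k3)])
        state = [s + h / 6.0 * (a + 2.0 * b + 2.0 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4)]
    p_t = state[:n]
    return p_t, matvec(g0, p_t), state[n:]


def sfcm_outputs(p_t: Vector, intensities: Vector, transient: bool) -> dict:
    """Output functions of Section 2.2 from the solved state vector.
    B-bar aggregates A, A_E and B_E; L is B for transient faults and
    B together with B-bar otherwise."""
    p_a, p_b, p_ae, p_be = p_t
    non_benign = p_a + p_ae + p_be
    return {
        "p_DP": intensities[0],
        "p_F": intensities[1],
        "P_B": p_b,
        "P_Bbar": non_benign,
        "P_L": p_b if transient else p_b + non_benign,
    }


if __name__ == "__main__":
    # Constructed rates (per hour), not taken from any CARE III input deck.
    g1, g0 = sfcm_matrices(alpha=3.6e2, beta=3.6e3, rho=3.6e2, delta=3.6e3,
                           eps=3.6e4, p_a=0.9, p_b=0.95, c=0.5)
    assert generator_is_conservative(g1, g0)
    p_t, p_abs, absorbed = solve_coverage(g1, g0, t_end=1.0e-3)
    print(sfcm_outputs(p_t, p_abs, transient=False))
    print("total probability:", sum(p_t) + sum(absorbed))
```

The column-sum check is the step worth keeping: it catches a mistyped rate matrix before any integration is run, which is exactly the class of error that makes a coverage solution look plausible while leaking probability. The fixed step must stay well below 1/(largest rate) for RK4 to remain stable on this stiff system; that constraint is the reason the report moved to a variable-step, stiff-capable integrator.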
3. SYSTEM FAULT TREE ANALYSIS


In the CARE III program the system unreliability is computed by the equation:

$$1 - R(t) = \sum_{\ell \in L} Q(t|\ell) + \sum_{\ell \in \bar{L}} P^*(t|\ell)$$

where L̄ is the set of fault vectors ℓ for which the system has failed due to
spares exhaustion as defined by the system fault tree. Fault vectors are
generated in sets by subroutine GNFLTVC in the CARE3 module. For each fault
vector, logic in GNFLTVC determines whether Q(t|ℓ) or P*(t|ℓ) is computed and
summed into the unreliability. For the case of no user supplied system fault
tree, Q(t|ℓ) is computed for any ℓ for which no stage is failed by exhaustion;
otherwise P*(t|ℓ) is computed. This logic is consistent with the assumption
that the default system fault tree is an OR tree, i.e., the system fails if
any stage fails by exhaustion. For the case of a user supplied system fault
tree, Q(t|ℓ) is computed only for those ℓ selected by GNFLTVC; P*(t|ℓ) is not
computed for any ℓ. In this case, the sum of P* is computed in CARE3
directly from the minterm file for the system fault tree generated by FTREE.

Several problems with the GNFLTVC fault vector selection and generation
procedure for the sum of Q calculation were identified in Tasks 1 and 2:

• Q(t|ℓ) is not computed for all ℓ ∈ L,

• Q(t|ℓ) is computed for some ℓ ∈ L̄,

• Inefficient ℓ generation algorithm.

Review of the GNFLTVC code and test runs indicated that Q(t|ℓ) may not be
computed for some ℓ for which the value of Q(t|ℓ) is a significant term in the
sum of Q calculation. In addition the user had no control over the selection
procedure. The algorithm for generating fault vectors in GNFLTVC generates
all fault vectors, although Q(t|ℓ) may be computed for only a small number of
vectors. The fault vector selection procedure was corrected with the Task 3
modifications and the generation algorithm was improved with the Task 4
changes.
3.1 FAULT VECTOR PROCESSING


In order to assure that all ℓ ∈ L are processed and that the user may control
which Q(t|ℓ) are ignored as insignificant, two capabilities are required:

• ability to test whether or not a given ℓ ∈ L,

• ability to determine when Q(t|ℓ) is small.

The system minterm file generated by FTREE can be used to address the first
requirement. Let the vector

$$\tau = \{\tau(x) : x = 1, 2, \ldots, \mathrm{NSTGES}\},$$

where τ(x) = 0 or 1, be a system minterm; then a fault vector ℓ ∈ L̄ if
ℓ(x) > n(x) − m(x) for all x for which τ(x) = 1, i.e., ℓ "covers" τ. Thus ℓ ∈ L
only if ℓ does not cover any minterm in the system minterm file.
Implementation of this test requires that the system minterms be stored in
core in a data structure designed to test efficiently whether a given fault
vector covers any minterm.


The second requirement can be addressed by choosing a different partition of
the fault vectors into sets for GNFLTVC. Let the sets L_n be defined as
follows:

$$L_n = \Big\{\ell : 0 \le \ell(x) \le n(x),\ \sum_{x=1}^{N} \ell(x) = n\Big\}, \qquad n = 0, 1, 2, \ldots, N_{MAX},$$

where

N = number of stages in the system,

$$N_{MAX} = \sum_{x=1}^{N} n(x).$$
The L_n cover L in the sense that:

$$L = \bigcup_{n=0}^{N_{MAX}} (L_n \cap L).$$

In addition the values of Q(t|ℓ) are decreasing over the L_n in the sense that
the numbers

$$Q_n = \max\{Q(t|\ell) : \ell \in L_n \cap L\}$$

are monotonically decreasing for n > 2.

Thus, if GNFLTVC is modified to generate fault vectors in the sets
L_n, n = 0, 1, ..., N_MAX, it is possible to be sure that Q(t|ℓ) is computed for
all ℓ ∈ L. In addition it is possible to identify an n_0 for which Q(t|ℓ) is
less than a user specified tolerance for all ℓ ∈ L_n where n > n_0.
Furthermore, the fault vectors in L_n may be generated by a simple algorithm
that does not generate any vectors outside L_n.

3.2 IMPLEMENTATION OF FAULT VECTOR PROCEDURE

Version 3 of the CARE III program was modified to implement the fault vector
selection procedure discussed in Section 3.1. The modified code, Version 4,
provides the user the option to use the Version 3 selection procedure or the
Version 4 selection procedure. (Variable IVSN in the NAMELIST set RNTIME may
be set to 3 or 4 (default).) As illustrated in Figure A.1-5, the
unreliability for a SUBRUN is computed by subroutine RLSBRN in the CARE3
module. If the Version 3 selection procedure is requested, RLSBRN calls
NFLTVDP and GNFLTVC just as in the Version 3 code. If the Version 4
selection procedure is requested, RLSBRN calls NFLTVDP, then RDSPS to load
the system minterm data into core, and finally GNFLTS to compute the SUBRUN
unreliability.
Subroutine GNFLTS generates fault vectors in the sets L_n defined in Section
3.1, calls subroutine PRFLTS to compute Q(t|ℓ) or P*(t|ℓ) for a fault vector
and monitors the change in size of the sum of Q and sum of P* over L_n; see
Figure A.1-9. The improved fault vector generation algorithm is coded
directly into subroutine GNFLTS. The processing of fault vectors is
terminated after set L_n if the change in the sum of Q for L_n is small
compared to the size of the sum of Q and the change in the sum of P* for L_n
is small compared to the size of the sum of P*. The logic for terminating
the generation of fault vectors is applied for set L_n only for n > 2 and if
the user defined parameter LC did not affect the calculation of Q(t|ℓ) for any
ℓ ∈ L_n. (Parameter QPTRNC in NAMELIST set RNTIME is used to control the
termination of fault vector processing.)

Subroutine PRFLTS determines whether ℓ ∈ L or ℓ ∈ L̄ by calling subroutine
CKSPS which checks to see if ℓ covers any system fault tree minterm. The
minterm data was processed by RDSPS and stored in a data structure in arrays
ITRM and JTRM designed for efficient checking to determine if a fault vector
covers some minterm. If ℓ ∈ L, PRFLTS calls UNRELQ to compute Q(t|ℓ), and if
ℓ ∈ L̄ PRFLTS calls FPSTAR to compute P*(t|ℓ).
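The fault vector sets L_n, the minterm coverage test and the per-set termination rule of Sections 3.1 and 3.2, carried through on a small constructed system, as an added example. This is Python written for this page, not the CARE III Fortran (GNFLTS, PRFLTS, CKSPS); the stage sizes, minterms and the stand-ins for Q(t|ℓ) and P*(t|ℓ) are constructed, and the function names are this example's own. Stages are indexed from 0 here rather than 1.

```python
from typing import Callable, Iterator, List, Sequence, Tuple

FaultVector = Tuple[int, ...]
Minterm = Tuple[int, ...]


def generate_l_n(n: Sequence[int], total: int) -> Iterator[FaultVector]:
    """Yield every fault vector l with 0 <= l(x) <= n(x) and sum l(x) = total,
    i.e. the set L_n of Section 3.1, generating nothing outside it."""
    def rec(x: int, remaining: int, prefix: List[int]) -> Iterator[FaultVector]:
        if x == len(n):
            if remaining == 0:
                yield tuple(prefix)
            return
        # later stages absorb at most sum(n[x+1:]) faults, so l(x) has a lower
        # bound as well as the upper bound n(x); no dead ends are explored
        later = sum(n[x + 1:])
        for k in range(max(0, remaining - later), min(n[x], remaining) + 1):
            yield from rec(x + 1, remaining - k, prefix + [k])
    return rec(0, total, [])


def covers(l: FaultVector, tau: Minterm, n: Sequence[int], m: Sequence[int]) -> bool:
    """l covers minterm tau when l(x) > n(x) - m(x) for every stage x with
    tau(x) = 1: each stage the minterm names has exhausted its spares."""
    return all(l[x] > n[x] - m[x] for x in range(len(n)) if tau[x] == 1)


def in_l_bar(l: FaultVector, minterms: Sequence[Minterm],
             n: Sequence[int], m: Sequence[int]) -> bool:
    """l is in L-bar (system failed by exhaustion) iff it covers some minterm."""
    return any(covers(l, tau, n, m) for tau in minterms)


def process_fault_vectors(n: Sequence[int], m: Sequence[int], minterms: Sequence[Minterm],
                          q_of: Callable[[FaultVector], float],
                          pstar_of: Callable[[FaultVector], float],
                          qptrnc: float) -> Tuple[float, float, int, int]:
    """Version 4 processing order (Section 3.2): walk L_0, L_1, ... in turn;
    for each l compute Q(t|l) when l is in L and P*(t|l) when l is in L-bar;
    after each L_n with n > 2, stop if that set changed both running sums by
    no more than the fraction qptrnc.  q_of and pstar_of stand in for UNRELQ
    and FPSTAR.  Returns (sum Q, sum P*, last n processed, vectors seen)."""
    n_max = sum(n)
    sum_q = sum_p = 0.0
    processed = 0
    for k in range(n_max + 1):
        dq = dp = 0.0
        for l in generate_l_n(n, k):
            processed += 1
            if in_l_bar(l, minterms, n, m):
                dp += pstar_of(l)
            else:
                dq += q_of(l)
        sum_q += dq
        sum_p += dp
        if k > 2 and dq <= qptrnc * sum_q and dp <= qptrnc * sum_p:
            return sum_q, sum_p, k, processed
    return sum_q, sum_p, n_max, processed


if __name__ == "__main__":
    # Constructed 3-stage system: n(x) modules, m(x) needed; the system fault
    # tree says "stage 0 exhausted OR (stage 1 AND stage 2 exhausted)".
    N = (3, 2, 4)
    M = (1, 1, 2)
    MINTERMS = [(1, 0, 0), (0, 1, 1)]
    # Stand-ins for Q(t|l) and P*(t|l) that shrink with the number of faults,
    # as Section 3.1 says Q does over the L_n (constructed, not CARE III's).
    q = lambda l: 1e-2 ** (sum(l) + 1)
    pstar = lambda l: 1e-2 ** sum(l)
    print(process_fault_vectors(N, M, MINTERMS, q, pstar, qptrnc=0.1))
```

Running the constructed case with qptrnc = 0.1 stops after L_4 having looked at 30 of the 60 possible fault vectors; with qptrnc = 0 every set is processed. The termination test is applied to both sums, so a set that contributes little to Q but newly populates the exhaustion sum does not end processing early.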




4. SUBRUN ANALYSIS 


In the CARE III program the system may be partitioned into SUBRUN's, which
consist of subsystems that are independent in the sense that modules in
different subsystems are not critically coupled as defined by the critical
pairs trees. For the case of no user supplied system fault tree, the system
unreliability is computed by the equation:

$$1 - R(t) = \sum_{S} \Big[ \sum_{\ell_S \in L_S} Q(t|\ell_S) + \sum_{\ell_S \in \bar{L}_S} P^*(t|\ell_S) \Big],$$

where L_S is defined by the fault vector selection procedure implemented in
subroutine GNFLTVC in the CARE3 module (see Section 3). L_S may be
interpreted as the set of fault vectors for SUBRUN-S for which no stage in
SUBRUN-S is failed by exhaustion. This corresponds to the natural
decomposition of the default system OR tree into an OR fault tree for each
SUBRUN-S.


For the case of a user supplied system fault tree, the system unreliability
is computed by the equation:

$$1 - R(t) = \sum_{S} \sum_{\ell_S \in L_S} Q(t|\ell_S) + \sum_{\ell \in \bar{L}} P^*(t|\ell),$$

where L̄ is the set of fault vectors ℓ for which the system has failed due to
spares exhaustion as defined by the system fault tree and L_S is defined by
the fault vector selection procedure implemented in subroutine GNFLTVC in the
CARE3 module (see Section 3). The sum of P* is computed in CARE3 directly
from the minterm file for the system fault tree generated by FTREE. Due to
the problems in the Version 3 fault vector selection procedure, it is not
possible to give an interpretation of L_S for this case. Furthermore, the
CARE III documentation does not specify any procedure for extracting a SUBRUN
fault tree from the system fault tree.
4.1 SYSTEM FAULT TREE PROCESSING


Suppose that the system fault tree is an OR with respect to the SUBRUN
decomposition, i.e., the system fault tree is an OR over a set of subtrees,
each of which has stages in only one SUBRUN (see Figure 4.1-1). The subtree
corresponding to each SUBRUN may be used to define a fault tree for the
SUBRUN, and then L̄_S is the set of fault vectors for SUBRUN-S for which the
SUBRUN has failed as defined by the SUBRUN fault tree. Thus the system fault
tree has a natural decomposition corresponding to the decomposition into
SUBRUN's and the CARE III estimate of the system unreliability is
conservative.

For the case of a system fault tree that is not an OR with respect to the 
SUBRUN decomposition, there is no natural decomposition of the system fault 
tree corresponding to the SUBRUN decomposition; therefore a heuristic 
procedure is required. One heuristic procedure is to extract from the set of 
minterms for the system fault tree the subset of minterms that include only 
stages within a SUBRUN. This subset of minterms defines a fault tree for the 
SUBRUN and L_S may be defined. With this construction, the system fault tree
is approximated by the OR of the derived SUBRUN fault trees. 

This heuristic has the advantage that for the cases: 

• a single SUBRUN and any system fault tree, or 

• multiple SUBRUN's with the system fault tree an OR with respect to the 
SUBRUN decomposition, 

the natural decomposition of the system fault tree corresponding to the
SUBRUN's is obtained and the CARE III estimate of the system unreliability is
conservative. It has the disadvantage that in the general case, the estimate
of the system unreliability may be non-conservative since some failure events
are ignored.
Figure 4.1-1 OR System Fault Tree



Implementation of the heuristic for extracting SUBRUN fault trees from the
system fault tree requires the capability of determining when a minterm
includes only stages within a SUBRUN. Let the vector

$$\tau = \{\tau(x) : x = 1, 2, \ldots, \mathrm{NSTGES}\}$$

(τ(x) = 0 or 1) be a system minterm; then τ includes only stages in SUBRUN-S
only if

$$\sum_{x \notin \mathrm{SUBRUN\text{-}S}} \tau(x) = 0.$$

If τ passes this test, then the minterm for the fault tree for SUBRUN-S is
defined by:

$$\tau_S = \{\tau(x) : x \in \mathrm{SUBRUN\text{-}S}\}.$$

4.2 IMPLEMENTATION OF SYSTEM FAULT TREE PROCESSING

Version 3 of the CARE III program was modified to implement the heuristic for
extracting SUBRUN fault trees from the system fault tree. The modified code,
Version 4, uses the heuristic when the Version 4 fault vector selection
procedure is used. For the cases:

• a single SUBRUN and any system fault tree, or

• multiple SUBRUN's with the system fault tree an OR with respect to the
SUBRUN decomposition,

the Version 4 code will provide a conservative estimate of the system
unreliability. For a general system tree the estimate of system
unreliability for multiple SUBRUN's may be non-conservative. When the
Version 3 fault selection procedure is used, the Version 4 heuristic is not
applied because the Version 3 fault selection procedure does not use the
SUBRUN fault tree. In this case, the concerns about fault vector selection,
described in Section 3, apply to each SUBRUN calculation and the estimate of
system unreliability may be non-conservative for any system fault tree.
The extraction procedure described in Section 4.1 is implemented in
subroutine RDSPS, which is called by subroutine RLSBRN before the call to
GNFLTS; see Figure A.1-5.
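The minterm extraction heuristic of Section 4.1, together with the check for the OR-decomposable case in which it is exact, as an added example. This is Python written for this page, not the RDSPS subroutine; the stage partition and the minterms are constructed, the function names are this example's own, and stages are indexed from 0.

```python
from typing import Iterable, List, Sequence, Set, Tuple

Minterm = Tuple[int, ...]


def stages_of(tau: Minterm) -> Set[int]:
    """Stages named by a minterm (those x with tau(x) = 1)."""
    return {x for x, bit in enumerate(tau) if bit == 1}


def extract_subrun_minterms(minterms: Iterable[Minterm],
                            sub: Set[int]) -> Tuple[List[Minterm], List[Minterm]]:
    """Section 4.1 heuristic for one SUBRUN: a system minterm tau belongs to
    the SUBRUN fault tree only if the sum of tau(x) over x not in the SUBRUN
    is zero; it is then projected onto the SUBRUN's stages (tau_S).  Minterms
    failing the test are returned separately so the caller can see which
    failure events the approximation drops."""
    inside = sorted(sub)
    kept: List[Minterm] = []
    dropped: List[Minterm] = []
    for tau in minterms:
        if any(tau[x] for x in range(len(tau)) if x not in sub):
            dropped.append(tau)
        else:
            kept.append(tuple(tau[x] for x in inside))
    return kept, dropped


def is_or_decomposable(minterms: Iterable[Minterm], subruns: Sequence[Set[int]]) -> bool:
    """True when every minterm lies inside a single SUBRUN: the system fault
    tree is then an OR over per-SUBRUN subtrees and the OR of the extracted
    trees reproduces it, so the unreliability estimate is conservative.
    False means some failure event spans SUBRUNs and would be ignored."""
    return all(any(stages_of(tau) <= s for s in subruns) for tau in minterms)


def ignored_minterms(minterms: Iterable[Minterm], subruns: Sequence[Set[int]]) -> List[Minterm]:
    """Minterms that no SUBRUN fault tree will contain under the heuristic."""
    return [tau for tau in minterms if not any(stages_of(tau) <= s for s in subruns)]


if __name__ == "__main__":
    # Constructed 4-stage system split into two SUBRUNs; the third minterm
    # couples stage 1 with stage 3 across the split and will be dropped.
    SUBRUNS = [{0, 1}, {2, 3}]
    MINTERMS = [(1, 1, 0, 0), (0, 0, 1, 0), (0, 1, 0, 1)]
    for s in SUBRUNS:
        print(sorted(s), extract_subrun_minterms(MINTERMS, s))
    print("OR-decomposable:", is_or_decomposable(MINTERMS, SUBRUNS),
          "ignored:", ignored_minterms(MINTERMS, SUBRUNS))
```

Reporting the dropped minterms is the practical check: an empty `ignored_minterms` list means the SUBRUN decomposition loses nothing and the Version 4 estimate is conservative; a non-empty list names exactly the failure events the estimate will understate.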
5. RELIABILITY MODEL


Complete verification of the CARE III model as applied to systems with no 
transient faults is given in NASA CR-166096. In that analysis it is assumed 
that within aggregate operational states all changes are due to fast coverage 
transitions. Intuitively it can be argued that the dynamics within aggregate 
states happen instantaneously and so the Macro model becomes a non- 
homogeneous Markov process. More precisely, state probabilities are 
expressed as renewal integrals which under the above assumptions are
approximated by the forward integral equations of a non-homogeneous Markov 
process. 

The justification of the macro model for systems susceptible to transient 
faults requires a finer analysis since the previously used arguments do not 
apply. 

In Section 5.1, the complications introduced by transient faults are 
discussed. An intermediate model is defined from which the CARE III model is 
justified. 

5.1 JUSTIFICATION OF THE MODEL 

Analysis of the coverage model shows that a module with a non-transient fault 
is very rapidly removed from the system (deleted from use or causes coverage 
failure). A transient fault may also become benign (enters B); the fault 
then poses no further threat and the module enters a fault free status where 
it becomes exposed to new faults. A module can experience consecutive 
transient faults until it either experiences a non-transient fault or a 
transient fault causes module isolation or system failure. 

At the macro level, the degradation of a system is defined by the vector
ℓ = (ℓ(1), ℓ(2), ..., ℓ(x), ...) where ℓ(x) measures the degradation in stage-x.
The comparison of non-transient and transient faults suggests that behavioral
differences be reflected in the definition of the vector ℓ. In CARE III,
ℓ(x) is defined as the number of stage-x modules with a non-transient fault
plus the number with a detected transient fault.


With this definition of the vector ℓ the assumption of fast dynamics within
aggregate states is no longer valid. The Macro model is not yet justified.
To illustrate this, two identical systems with three modules and one fault
are analyzed. The Macro models corresponding to these systems are given in
Figure 5.1-1 for a non-transient fault, and in Figure 5.1-2 for a transient
fault. In these figures SFCM and DFCM represent fast transitions, whereas λ
represents slow transitions. Transitions due to occurrence of a new fault,
slow transitions, occur only across aggregate states in the non-transient
case but can occur within aggregate states in the transient case, e.g.,
transition from fault-free state 0 to active state A, both in macro state
G(0).

An intermediate model is defined by introducing the vector ν = (ν(1),
ν(2), ..., ν(x), ...), where ν(x) is the number of stage-x modules with latent
transient faults. The states in the intermediate model are defined as
aggregates of Micro model states, as a function of the operational status of
the system and the parameters ℓ, ν. Similar notation to that used for the
Macro model is used, e.g., G(ℓ, ν) denotes an operational state and P(t|ℓ,ν)
its probability.


Applying the structure of the intermediate model to the example, see Figure 
5.1-3, it can be observed that only fast transitions occur within operational 
states. The shortcoming of the Macro model when applied to systems with 
transient faults is thus avoided. 


5.2 MACRO MODEL RATE DERIVATION 

The analysis in the last example may be extended to general systems, and it
follows that the intermediate model is approximately a non-homogeneous Markov
process. The probabilities for failure states in the Macro model, Q(t|ℓ), are
obtained as sums of renewal integrals, corresponding to the contribution of
each of the micro states. More concisely,
$$Q(t|\ell) = \int_0^t \Big[ P(u|\ell)\,\mu(u|\ell) + \sum_y P(u|\ell - 1(y))\,\lambda^{(2)}(u|\ell - 1(y), 1) \Big]\, du \qquad (5.2\text{-}1)$$

Figure 5.1-2 Macro Model - Transient Fault (macro states G(0), G(1), G(2))

The first term in (5.2-1) corresponds to coverage failures due to latent
faults or to the interaction of a new transient fault with a latent fault.
The second term corresponds to double fault coverage failures due to the
interaction of a new non-transient fault with a latent fault.

A conservative estimate of Q(t|ℓ) is obtained by allowing a larger set of
risks on the operational states that lead to the failure state F(ℓ). This is
attained by evaluating the probabilities and rates in (5.2-1) ignoring prior
coverage failures. This leads to multiple counting of coverage failures and
hence to conservative estimates of the reliability. Nevertheless, tight
bounds are expected since fault handling occurs at several orders of
magnitude faster than fault occurrence.

Under the above assumption, modules within a stage can interchange roles
within an operational state. Combinatorial techniques are then possible and
are used to analyze the status of modules within each stage as given in
Figure 5.2-1.

The formula for P*(t|ℓ), the conservative estimate for operational state
probabilities, follows from simple combinatorial analyses and is given as a
product of binomial probabilities. The rates are derived using the principle
of inclusion and exclusion, following Riordan (1958).

The mathematical expressions of the functions used in the evaluation of
coverage failure probabilities are:
Figure 5.2-1 Status of Modules Within Each Stage

    ℓ "faulty" modules           | n − ℓ "non-faulty" modules
    μ latent non-transient       | ν latent transient
    ℓ − μ deleted                | n − ℓ − ν fault-free
5.3 IMPLEMENTATION OF MODEL


In tasks 3 and 4, Version 3 of the CARE III program was modified to implement 
the reliability model as defined in the previous section. The modified code, 
CARE III, Version 4, correctly implements the CARE III sparing representation 
defined by the NOP data and the case of transient faults. Additional code 
changes were made to improve the computational efficiency of the CARE3 module 
and to reduce the use of I/O by the code. 

Implementation of the complete CARE III reliability model required
modification of the input (CAREIN), coverage (COVRGE) and reliability (CARE3)
modules of CARE III, Version 3. Figures A.1-1 to A.1-10 in Appendix A
illustrate the structure of the Version 3 and Version 4 code and show which
modules were modified or added. The overall structure of the CARE III
program was not changed in the modifications. The crucial changes for the
reliability model occur in subroutine CRTLPRS in module CAREIN, subroutine
SNGFLT in module COVRGE and subroutines NFLTVDP, GNFLTVC and SUMMAT in module
CARE3; these are discussed below.

5.3.1 Calculation of the Critical Pairs Counts (CRTLPRS)

In Version 3, the critical pairs minterm data for a SUBRUN is processed and
the b_{x,y} function is computed in subroutine CRTLPRS in the CAREIN module. In
Version 4, the calculation of the b_{x,y} function is deferred to the CARE3
module and only the critical pairs minterm data for a SUBRUN is processed in
CRTLPRS (see Figure A.1-1). In Version 4, CRTLPRS is completely new and
subroutines GNIQX, RDCPS and GNKXY are new code. The user's NOP data is
processed by GNIQX and arrays IQXNOP and KQXNOP are established to give q(x)
as a function of ℓ(x)−μ(x). The minterm data is read by RDCPS and critical
pair counts are accumulated in array KNT by subroutine GNKXY. The KNT array
contains the following data:

KNT(i(x), y, q(y)) = number of x,y critical pairs that involve module i(x) in
stage-x and some stage-y module, given q(y) in-use stage-y modules.
The data stored in the IQXNOP, KQXNOP and KNT arrays is sufficient for the
calculation of the b_{x,y} function performed in the CARE3 module. The critical
pair counts N_{x,x}(q(x)) and N_{x,y}(q(x),q(y)) can be easily obtained from the
KNT array.


5.3.2 Calculation of the Counts N_{x,x} and N_{x,y}

The evaluation of the b_{x,y} function requires the calculation of the counts
N_{x,x}(q(x)) and N_{x,y}(q(x),q(y)). Since these counts depend only on the
critical pair counts (computed in the CAREIN module), subroutine NFLTVDP in
the CARE3 module was modified to call subroutine GNCPS to do the calculation
(see Figure A.1-6). For each possible pair of stages x,y, GNCPS checks to see
if x,y are critically coupled by checking the KNT array; x,y are critically
paired only if

$$\sum_{i(x)=1}^{n(x)} \mathrm{KNT}(i(x), y, n(y)) > 0.$$

Array IJSTGIN is used to flag whether or not x,y are critically coupled.

When stages x,y are critically paired, the counts N_{x,x}(q(x)) and
N_{x,y}(q(x),q(y)) are computed using subroutines GNNXX and GNNXY and stored in
arrays NXX and NXY:

$$N_{x,x}(q(x)) = \frac{1}{2} \sum_{i(x)=1}^{q(x)} \mathrm{KNT}(i(x), x, q(x)),$$

$$N_{x,y}(q(x), q(y)) = \sum_{i(x)=1}^{q(x)} \mathrm{KNT}(i(x), y, q(y)).$$
An improved version of the b_{x,y} data structure and I/O scheme is used to store
the NXX and NXY arrays.

5.3.3 Calculation of b_{x,y} Function

As discussed in Section 5.2, the b_{x,y} function depends only on and so it
may be computed before the reliability model is solved. Subroutine NFLTVDP
in module CARE3 was modified to call subroutine GNBPS to do the calculation
(see Figure A.1-6). For each possible pair of stages x,y, GNBPS computes the
b_{x,y} function only if x,y are critically coupled as noted in the IJSTGIN
array. When computation is indicated, the b_{x,y} function is computed by
subroutines GNBXX and GNBXY and stored in arrays BXX and BXY:

$$\mathrm{BXX}(\ell(x) - \mu(x)) = \frac{\mathrm{NXX}(q(x))}{\binom{n(x) - \ell(x) + \mu(x)}{2}},$$

$$\mathrm{BXY}(\ell(x) - \mu(x),\ \ell(y) - \mu(y)) = \frac{\mathrm{NXY}(q(x), q(y))}{\big(n(x) - \ell(x) + \mu(x)\big)\big(n(y) - \ell(y) + \mu(y)\big)}.$$

The values of ℓ(x) and ℓ(y) are defined by ℓ which was selected by GNFLTVC in
Version 3 and GNFLTS in Version 4; q(x) and q(y) are defined by ℓ(x)−μ(x) and
ℓ(y)−μ(y) using the IQXNOP and KQXNOP arrays; and μ(x) and μ(y) are in the
range 0 ≤ μ(x) ≤ ℓ(x), 0 ≤ μ(y) ≤ ℓ(y).

An improved version of the b_{x,y} data structure and I/O scheme is used to store
the BXX and BXY arrays.

5.3.4 Calculation of $Q(t\,|\,\ell)$

The calculation of $Q(t\,|\,\ell)$ is performed by subroutines UNRELQ and FINTGRT in
the CARE3 module:

$$Q(t\,|\,\ell) = \int_0^t K(\tau\,|\,\ell)\,d\tau.$$
Subroutines UNRELQ and FINTGRT were not modified in Version 4. The function
$K(t\,|\,\ell)$ is computed by subroutine SUMMAT:

$$K(t\,|\,\ell) = P^*(t\,|\,\ell)\,a'(t\,|\,\ell) + P^*(t\,|\,\ell)\,A'(t\,|\,\ell) + \sum_y P^*(t\,|\,\ell-1(y))\,\lambda^{(2)}(t\,|\,\ell),$$

where the first term represents single fault failures, the second term
represents double fault failures with no new fault, and the third term
represents double fault failures due to a new fault. In Version 3, these
terms are computed in subroutines FAPC, FAC and FCYJ, respectively, and FAC
and FCYJ make use of the symmetry in x,y of the $b_{x,y}$ function.

The order of calculation used in FAC and FCYJ introduces several
inefficiencies into the solution of the reliability model: excessive I/O due
to multiple passes through the $b_{x,y}$ data, recalculation of terms which are
independent of $\ell$ (they are only functions of time) and excessive logical
tests in the inner loops of the calculation. Subroutine GNBPS in module
CARE3 was modified to call subroutines GNTXX and GNTXY to evaluate all terms
in the $K(t\,|\,\ell)$ calculation that depend only on time before the reliability
model is solved (see Figure A.1-8). Subroutine SUMMAT and the $b_{x,y}$ data
structure and I/O scheme were completely modified to eliminate the excessive
use of I/O and logical tests. (If the number of pairs of critically coupled
stages in the user's model does not exceed 20, then all I/O operations
involving the $b_{x,y}$ data are avoided.) The Version 3 subroutines FAC, FCYJ,
FBCRTL and FDSCRTL are replaced in Version 4 by subroutines GNFXX, FB1XX,
FB2XX, FB1XY and FB2XY (see Figure A.1-10).

As discussed in Section 5.1, the transient fault model introduces an extended
interpretation of the fault vector $\ell$. In Version 4, the logic in subroutines
GNFLTS and SUMMAT was extended to properly include this revised
interpretation of fault vectors.
5.3.5 Method of Moments

The calculation of $K(t\,|\,\ell)$ requires the evaluation of several convolution
integrals:

$$y(t) = \int_0^t P_2(\tau)\,P_1(t-\tau)\,d\tau,$$

where $P_1(t)$ is a measure of the rate at which a certain class of faults
occurs and $P_2(\tau)$, one of the coverage output functions, is a function of the
interval $\tau$ between that occurrence and the entry of the fault into a
particular coverage state. The numerical convolution procedure implemented
in the CARE III module uses the method of moments. The calculation is based
on two assumptions: $P_1(t)$ is a much more slowly varying function of time
than $P_2(t)$; and $P_2(t)$ decays rapidly to zero. The first assumption is
consistent with the CARE III assumption that coverage rates are much higher
than module failure rates. However, the second assumption was not valid for
the coverage output function $P_{DP}$. To correct this problem, subroutines
SNGFLT and MSNGFN in the COVRGE module were modified to provide the intensity
$p_{DP}$ as an output instead of $P_{DP}$. The CARE3 module was appropriately modified
to compute $h_{DPT}$ from $p_{DP}$ instead of $P_{DP}$. The overall result of these changes
is a more accurate evaluation of $h_{DPT}$.
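To show why the second assumption matters, here is an added Python illustration (not CARE III code) of the method of moments applied to the convolution above, once with a coverage output that decays (the intensity $p_{DP}$) and once with one that saturates (the cumulative $P_{DP}$). The functional forms, the rates, and the assumption that moments are taken over the finite window on which the coverage model is solved are this example's own, not the report's.

```python
"""Method-of-moments convolution as described for CARE III in Section 5.3.5.

Added illustration; this is not CARE III code.  Assumptions made here, not stated
on the page: P1(t) = LAM*exp(-LAM*t) stands in for the slowly varying
fault-occurrence function; the coverage output is either the cumulative
P_DP(tau) = 1 - exp(-DELTA*tau), which never decays, or its intensity
p_DP(tau) = DELTA*exp(-DELTA*tau), which does; and the moments of the coverage
output are taken over the window [0, T_COV] on which the coverage model is solved.
"""
import math

LAM = 1.0e-4    # module fault rate, 1/hr (constructed)
DELTA = 100.0   # fault-handling rate, 1/hr (constructed)
T_COV = 0.2     # coverage-model window, hr: 20 time constants of DELTA (assumption)


def p1(t):
    """Slowly varying fault-occurrence function P1(t)."""
    return LAM * math.exp(-LAM * t)


def p1_deriv(t, k):
    """k-th time derivative of p1: (-LAM)^k * p1(t)."""
    return (-LAM) ** k * p1(t)


def cumulative_dp(tau):
    """P_DP(tau): probability the fault has entered the state by tau; saturates at 1."""
    return 1.0 - math.exp(-DELTA * tau)


def intensity_dp(tau):
    """p_DP(tau) = dP_DP/dtau: decays rapidly to zero, as the method requires."""
    return DELTA * math.exp(-DELTA * tau)


def simpson(f, a, b, n=4000):
    """Composite Simpson quadrature of f on [a, b] with n (even) panels."""
    if n % 2:
        n += 1
    h = (b - a) / n
    total = f(a) + f(b)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * f(a + i * h)
    return total * h / 3.0


def convolution_direct(p2, t):
    """Reference value: y(t) = int_0^t P2(tau) P1(t - tau) dtau by quadrature."""
    return simpson(lambda tau: p2(tau) * p1(t - tau), 0.0, t)


def coverage_moments(p2, order):
    """M_k = int_0^T_COV tau^k P2(tau) dtau for k = 0..order (window is an assumption)."""
    return [simpson(lambda tau, k=k: tau ** k * p2(tau), 0.0, T_COV)
            for k in range(order + 1)]


def convolution_moments(p2, t, order=4):
    """Method of moments: expand P1(t - tau) about tau = 0 and integrate term by term,
    y(t) ~ sum_k (-1)^k M_k P1^(k)(t) / k!.  Accurate only if P2 has decayed by T_COV."""
    moments = coverage_moments(p2, order)
    return sum((-1) ** k * moments[k] * p1_deriv(t, k) / math.factorial(k)
               for k in range(order + 1))


def relative_error(p2, t=1.0):
    """|moments - direct| / direct at reliability time t."""
    direct = convolution_direct(p2, t)
    return abs(convolution_moments(p2, t) - direct) / direct


if __name__ == "__main__":
    for name, p2 in (("intensity p_DP", intensity_dp),
                     ("cumulative P_DP", cumulative_dp)):
        print(f"{name:16s} direct={convolution_direct(p2, 1.0):.6e} "
              f"moments={convolution_moments(p2, 1.0):.6e} "
              f"rel.err={relative_error(p2):.3e}")
```

With the intensity the moment series reproduces the direct convol­ution; with the cumulative function the truncated moments are wrong by an order of magnitude, which is the failure the Version 4 change removes.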
6. TEST STRESSING


As part of the validation task of CARE III, the reliability of hypothetical 
systems was evaluated. The answers obtained compared favorably with analytic 
results. As part of the test stressing, two fault-tolerant systems were 
evaluated using CARE III; Section 6.1 describes the FTMP analysis, and 
Section 6.2 the SIFT problem. Although FTMP presented a complex architecture 
for representation, CARE III offered sufficient flexibility to approximate 
the system. SIFT, although significantly simpler than FTMP, illustrated that 
CARE III is limited to simplex, duplex, and triplex systems; pentaplex
(3-out-of-5) voters cannot be represented well.

6.1 FTMP 

The FTMP system (NASA CR-166071,72,73) consists of ten LRU's (line
replaceable units) and connecting buses. Each LRU contains a processor, a
clock generator, a power supply, a memory (slave region) and two bus guardian
units (BGU). For the reliability analysis, the BGU's may be lumped in with
the processor; their failure rates should be added together. Similarly the
memory includes the real time clock, system control register and the I/O
port. There are four different types of buses: poll (P), receive (R),
transmit (T) and clock (C). There are 5 of each type of bus.

Fault-tolerance is incorporated by triplex voting with majority rule (except 
for clocks). No single-fault coverage failures should occur. The system is 
initially composed of three processor triads with one spare processor, two 
memory triads with four memories as spares, and one clock quadruplex with six 
spare clocks. The modules in a triplex (quad for clocks) are rotated. At 
any given time the processors in a triplex may be from any of the LRU's-- 
similarly for the memories and clocks. 

The P, R and T buses each form a triplex with two spares. The C bus forms a
quad with one spare. If no inter-LRU dependence existed, the minimum number
of modules needed for each stage are: processor (5), memory (5), clock (3),
P, R and T bus (2 each), C bus (3).




The failure rates used in the analyses are:

    processor (plus 2 BGU's)    2.2 x 10^-4/hr
    memory                      2.0 x 10^-4/hr
    clock                       1.0 x 10^-5/hr
    power supply                1.0 x 10^-4/hr
    P, R, T and C bus           1.0 x 10^-5/hr

Dependence arises with FTMP in that if a processor within an LRU fails no
other modules are affected. If a clock or power supply fails, all the
modules within the LRU may function improperly. When a clock or power supply
is identified as faulty, the entire LRU is deleted from the system. A
faulty slave region may not affect the operation of the rest of the LRU;
however, if identified as faulty, it will cause the entire LRU to be deleted.
Dependence affects the reliability of the system in two ways, in the
computation of spares exhaustion failure and of coverage failure.

When assessing spares exhaustion, dependence complicates the relationship
between the number of failed modules and the number of operational modules
remaining. For example, if two processors fail and then two memories fail
(under perfect coverage), the number of operational processors left can be
six, seven or eight. This depends on whether the failed processors and
memories are from the same LRU (eight processors left), different LRU's (six
left), or one LRU with a processor and then a memory failure, one LRU with a
processor failure and one LRU with a memory failure (seven left).

CARE III does not allow for module interdependency. An added complication is
the functional numbering in CARE III, as opposed to physical numbering.
Processor 1 denotes the processor that currently is performing function 1;
this in FTMP would be functioning in the first triad. Processor 1 could be
from any LRU. In particular, processor 1 and memory 1 will, most of the
time, be from separate LRU's. A discussion of functional numbering is
provided in Section 3.0 of the BCS Final Report.

As our first-cut model for spares exhaustion, all the modules within an LRU
are lumped together to form a single stage. The combined stage failure rate
is the sum of the module failure rates. Perfect coverage is assumed. This
model leads to a conservative evaluation (overestimate) of exhaustion
failure. Figure 6.1-1 provides the control information for this FTMP model.
The estimate obtained for the probability of system exhaustion failure is
P*SUM = 1.45 x 10^-11.

The unreliability obtained satisfies our requirements (P significantly less
than 10^-9 for a 10 hour flight); no further analysis of exhaustion failure is
required. If this conservative procedure did not provide satisfactory
results, a more detailed model could be evaluated. One could let each module
be a stage, and thus represent in detail what combinations of module failures
cause exhaustion failure. The problem with such a representation is that the
system fault tree becomes quite complex and there is an appreciable chance of
user input error. This model still assumes perfect coverage since one cannot
input system sparing rules and the success configuration information (NOP).
For the FTMP analysis this more detailed modeling was not necessary.

Initial information on FTMP was obtained from NASA CR-166071, CR-166072 and
CR-166073. Additional information and assistance on FTMP was provided by Mr.
C. Liciega from NASA-Langley. The failure rate values were based on those
used in the Draper reliability analyses. The coverage parameters were based
on the FTMP fault injection study, CR-166073, and a description of how the
system operates.

Exponential transition rates were used for the coverage analyses. The α(t)
transition can be taken as exponential, since the transition of a faulty
module from a latent state to an error generating state can be considered
random in time. The detection rate, δ(t), is certainly based on how often
self-tests are run. There are 37 self-test programs for the processor, clock
generator and bus. A new program is run every 320 milliseconds. Once a
module is detected as faulty and the error latches are set, another clocking
cycle is required, 320 milliseconds, before the module can be deleted and
replaced by a spare. Each test program does not detect solely a unique type
of fault. Certain types of faults will be detected by many of the self-
tests. A uniform distribution does not appear to describe this operation
well. An exponential distribution was used, such that five percent of the
$FLTTYP DEL(1) = 1.0E6,
        RHO(1) = 0.0,
        C(1) = 1.0,
        IDELF(1) = 1,
        IRHOF(1) = 1,
        IEPSF(1) = 1,
        CVPRNT = .TRUE.$

$STAGES NSTGES = 5,
        N(1) = 10,   } LRU
        M(1) = 5,    }
        N(2) = 5,    } P Bus
        M(2) = 2,    }
        N(3) = 5,    } R Bus
        M(3) = 2,    }
        N(4) = 5,    } T Bus
        M(4) = 2,    }
        N(5) = 5,    } C Bus
        M(5) = 3,    }
        IRLPCD = 4$

$FLTCAT RLM(1,1) = 5.3E-4,   - LRU Failure Rate
        RLM(1,2) = 1.0E-5,
        RLM(1,3) = 1.0E-5,
        RLM(1,4) = 1.0E-5,
        RLM(1,5) = 1.0E-5$

$RNTIME FT = 10.0,
        ITBASE = 1,
        SYSFLG = .TRUE.,
        CPLFLG = .FALSE.$

FTMP RUN WITH LRU TREATED AS A STAGE
15 6 6
6 0 1 2 3 4 5

Figure 6.1-1 Input File for Obtaining Bound on Exhaustion
Failure with Dependence
probability was to the right of 38 x 320 milliseconds. With this
assumption "more of the action" happens early, which represents the
operation of the self-test programs. Furthermore, the five percent tail to the
right of the theoretical maximum detection time should lead to a slightly
conservative answer.

The parameter for the exponential distribution is the inverse of the mean.
From Table 7, CR-166073, δ was taken as 1/(mean time to detect error - 160
milliseconds), converted to hours. The detection time was adjusted by 160
milliseconds since, on the average, there will be that much delay between
when an error is propagated and when an error flag is set.

The ε(t) transition is from an active error producing state, A_E, to either a
... identification and for reconfiguration, as given in Table 7, CR-166073, plus
160 milliseconds. The 160 millisecond adjustment allows for the
initiation of error propagation and the setting of the error flag. Using
this mean time, converted to hours, provides the exponential parameter
ε for the coverage model.

The processors of a triad are critically paired. But consider a faulty
clock in an LRU. This causes faulty processor operation within the LRU.
Thus the clock is critically coupled to the other two processors.
Similarly, the power supply and memory are critically coupled with the
processors and clocks. In order to represent this dependence, one defines
an equivalence class for each LRU. A critical pair fault is then one fault
in two of the equivalence classes. The control information and critical pair
tree are given in Figure 6.1-3. The answer obtained is conservative, since
some module pairs are incorrectly
[Figure: a processor triad (P_i, P_j, P_k) drawn from LRU_i, LRU_j, LRU_k, each
LRU holding a processor P, a memory M, a clock C and a power supply PS. Three
paths to processor coverage failure are shown: (1) two faulty processors;
(2) C_i faulty → P_i faulty, plus P_j or P_k faulty; (3) C_i faulty → P_i faulty,
plus M_k or C_k or P_k or PS_k faulty, etc., i.e. processor coverage failure
with no direct processor failures.]

Figure 6.1-2 Dependence Effect on Coverage
$STAGES NSTGES = 8,
        N(1) = 10,   } Processor
        M(1) = 5,    }
        N(2) = 10,   } Memory
        M(2) = 5,    }
        N(3) = 10,   } Clock
        M(3) = 3,    }
        N(4) = 10,   } Power Supply
        M(4) = 5,    }
        N(5) = 5,    } P Bus
        M(5) = 3,    }
        N(6) = 5,    } R Bus
        M(6) = 2,    }
        N(7) = 5,    } T Bus
        M(7) = 2,    }
        N(8) = 5,    } C Bus
        M(8) = 2,    }
        NOP(1,1) = 9,
        NOP(2,1) = 6,
        NOP(1,2) = 6,
        NOP(1,3) = 9,
        NOP(2,3) = 6,
        NOP(1,4) = 9,
        NOP(2,4) = 6,
        NOP(1,5) = 4,
        NOP(1,6) = 3,
        NOP(1,7) = 3,
        NOP(1,8) = 3,
        IRLPCD = 1$

Figure 6.1-3 Input File for Estimate of Coverage
Failure, 1 Subrun
$FLTCAT JTYP(1,1) = 1,
        JTYP(1,2) = 2,
        JTYP(1,3) = 3,
        JTYP(1,4) = 5,
        JTYP(1,5) = 4,
        JTYP(1,6) = 4,
        JTYP(1,7) = 4,
        JTYP(1,8) = 4,
        RLM(1,1) = 2.2E-4,
        RLM(1,2) = 2.0E-4,
        RLM(1,3) = 1.0E-5,
        RLM(1,4) = 1.0E-4,
        RLM(1,5) = 1.0E-5,
        RLM(1,6) = 1.0E-5,
        RLM(1,7) = 1.0E-5,
        RLM(1,8) = 1.0E-5$

$RNTIME FT = 10.0,
        ITBASE = 1,
        SYSFLG = .TRUE.,
        CPLFLG = .TRUE.$

FTMP MODEL
1
8
9 9
9
0
1 2
3
4 5

Figure 6.1-3 Input File for Estimate of Coverage
Failure, 1 Subrun (Continued)
represented as being critically coupled (e.g., processor of LRU 1 and memory
of LRU 2). This equivalence class representation, however, makes for an easy
representation of the LRU dependence effect of processor and memory triads
simultaneously. Using a single critical pair tree, the probability of a
coverage failure obtained is Q SUM = 6.039 x 10^-9. Note that the upper bound
for exhaustion failure, 1.45 x 10^-11, affects only the third significant
digit. The problem was rerun using two critical pair trees (two subruns)
with processors, memories and power supplies in the first subrun and buses in
the second (Figure 6.1-4). This reduces the CPU run time and drastically
reduces the amount of output. The answer obtained differed only at the
seventh significant digit. In most of the detailed analyses, subruns were
used, providing highly accurate results at a much lower cost. The
restrictions for the use of subruns are given in Section 4.0.

6.2 SIFT 

SIFT operates as a one-stage system which consists of a pentaplex of modules, 
plus spares. Within the pentaplex, fault tolerance is based on three out of 
five voting. Coexisting faults on three of the modules within the pentaplex 
are necessary to cause coverage failure of the system. This means that 
critical triplets, as opposed to critical pairs, need to be considered when 
assessing the probability of coverage failure. 

CARE III has been suggested as an evaluation tool for such systems by
disregarding failure probabilities unless enough faults are present. Q(t|ℓ),
the probability of coverage failure when ℓ faults have occurred, is evaluated
only when ℓ ≥ LC, where LC is an input parameter. For a pentaplex, LC is set
equal to 3.

If transient faults are possible, then latent triplets can occur even when
ℓ ≤ 2 (ℓ counts transients only when they cause the module to be isolated).
The use of the LC parameter will lead in this case to very optimistic
results.

If only non-transient faults are possible, the use of LC=3 gives correct
results only in the case of a pentaplex with no spares. If the system
Figure 6.1-4 Critical Pair Tree for Two Subruns
consists of one or more pentaplexes and spares, the reliability estimate
given by CARE III is extremely conservative.

Three events contribute to Q(t|3) in CARE III:

(i) three latent faults in a pentaplex;

(ii) three latent faults; two of these in a pentaplex;

(iii) two latent faults in a pentaplex, one deleted module.

Of the three cases, only the first corresponds to a true coverage failure in
a pentaplex. The last two cases are included in the evaluation of Q(t|3)
since CARE III is based on a critical pair type architecture. The first two
events are of the same order, since both cases depend on three latent faults.
For the highly reliable systems being considered, fault handling is several
orders of magnitude faster than fault occurrence and the third event is
correspondingly considerably greater than the first two; it will be the
dominating term in the evaluation of Q(t|3). The corresponding coverage
failure estimate will then be unacceptably conservative.

As an example, consider a system consisting of one pentaplex and one spare.
Modules are susceptible to a permanent fault which occurs at constant rate λ
and detection occurs at constant rate δ. If δ ≫ λ then

$$\text{TRUE UNRELIABILITY} \approx 5\left(\frac{\lambda}{\delta}\right)^2\left[1 - e^{-6\lambda t}\right],$$

$$\text{CARE III UNRELIABILITY} \approx 4\left(\frac{\lambda}{\delta}\right)\left[1 - 6e^{-5\lambda t} + 5e^{-6\lambda t}\right].$$

In particular if λ = 5 x 10^-4, δ = 100 and t = 1, the respective values are 3.7 x 10^-13
and 7.4 x 10^-11.
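The two closed forms above, carried through numerically as an added Python example (not CARE III code). The sweep over δ and the conservatism ratio are this example's additions; they show that the critical-pair estimate scales as λ/δ where the true value scales as (λ/δ)², and expm1 is used to avoid cancellation in the bracketed terms.

```python
"""Pentaplex-plus-one-spare unreliability: the closed forms quoted in Section 6.2.

Added illustration, not CARE III code.  The two expressions are the page's
approximations for delta >> lam; the sweep and the ratio are this example's own.
"""
import math


def true_unreliability(lam, delta, t):
    """Coverage failure of a 3-of-5 voter with one spare (three coexisting latent
    faults): 5 (lam/delta)^2 [1 - exp(-6 lam t)]."""
    return 5.0 * (lam / delta) ** 2 * (-math.expm1(-6.0 * lam * t))


def care3_unreliability(lam, delta, t):
    """CARE III critical-pair estimate, dominated by event (iii), one deleted module
    plus two coexisting latent faults: 4 (lam/delta) [1 - 6 exp(-5 lam t) + 5 exp(-6 lam t)].
    Written with expm1 so the near-cancelling bracket keeps its precision."""
    bracket = -6.0 * math.expm1(-5.0 * lam * t) + 5.0 * math.expm1(-6.0 * lam * t)
    return 4.0 * (lam / delta) * bracket


def conservatism(lam, delta, t):
    """Factor by which the critical-pair estimate overstates the true value."""
    return care3_unreliability(lam, delta, t) / true_unreliability(lam, delta, t)


def sweep(lam=5.0e-4, t=1.0, deltas=(10.0, 100.0, 1000.0)):
    """Conservatism factor versus fault-handling rate: it grows linearly with delta,
    because the true value carries (lam/delta)^2 and the estimate only lam/delta."""
    return {d: conservatism(lam, d, t) for d in deltas}


if __name__ == "__main__":
    lam, delta, t = 5.0e-4, 100.0, 1.0   # the page's numerical case
    print(f"true    = {true_unreliability(lam, delta, t):.2e}")
    print(f"CARE III= {care3_unreliability(lam, delta, t):.2e}")
    for d, r in sweep().items():
        print(f"delta={d:7.1f}  CARE III / true = {r:8.1f}")
```

For the page's case (λ = 5 x 10^-4, δ = 100, t = 1) the functions return about 3.7 x 10^-13 and 7.5 x 10^-11, a factor of roughly 200, and raising δ tenfold raises the factor tenfold.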
APPENDIX A


This appendix documents the modifications made to CARE III, Version 3, in
Tasks 3 and 4; the modified program is referred to as CARE III, Version 4.
The first section describes the changes in terms of the "call trees" of the
principal modules of the program. The second section consists of the "design
sheets" prepared for all the modified or new subroutines in Version 4.

A.l CALL TREE SPECIFICATIONS 

In this section an overview of the differences between the Version 3 and the
Version 4 code is presented in terms of the "call trees" of the principal
modules of the program. In Figures A.1-1 to A.1-10, the modified or new
subroutines in Version 4 are indicated by boldface type. The figures show
that the overall structure of the CARE III program was not changed in the
Task 3 and 4 modifications.

A. 2 DESIGN SPECIFICATIONS 

The design of each of the modified or new subroutines in the Version 4 code
is summarized by a "design sheet" presented in this section. These design
sheets were prepared as the first step in the coding of the Version 4
changes. They are an overview of the subroutines; not all computational
details are included. However, they do indicate the overall sequence of
computations and the data needed for and generated by each step in the
subroutine. The design sheets are presented in the following order:

• CAREIN: Figures A.2-1 to A.2-5

• COVRGE: Markov model; Figures A.2-6 to A.2-13

• CARE3: Main control and computation subroutines; Figures A.2-14 to A.2-21

• CARE3: Calculation of NXX and NXY data; Figures A.2-22 to A.2-24

• CARE3: Calculation of BXX and BXY data; Figures A.2-25 to A.2-29

• CARE3: Calculation of K(t|ℓ); Figures A.2-30 to A.2-35
VERSION-3

CAREIN
  — BUFBLK
  — FTREE
  — CRTLPRS
  — SUBRUN
      — SPLIT
  — SPLIT
  — VLDNML

VERSION-4

CAREIN
  — BUFBLK
  — FTREE
  — CRTLPRS
      — GNIQX
      — RDCPS
          — GNKXY
  — SUBRUN
      — SPLIT
  — SPLIT
  — VLDNML

Figure A.1-1 CAREIN Call Tree

[Note: Boldface on this and following figures indicates routines that
have been added or modified.]

VERSION-3

COVRGE
  — BUFBLK
  — SNGFLT
  — DBLFLT
  — PRNTCVG

VERSION-4

COVRGE
  — BUFBLK
  — SNGFLT
  — MSNGFN
  — MSNGMT
  — DBLFLT
  — MDBLFN
  — MDBLMT
  — PRNTCVG

Figure A.1-2 COVRGE Call Tree
VERSION-3

COVRGE
  — SNGFLT
      — COMPFUN
          — FGSNGL
          — SFG12
      — SUMARS
      — VSTPINT
      — PREVNRC
          — VLTREC
              — CNVLINT
      — VOLTERA
          — CNVLINT
      — CVITAR
          — VOLTERA
              — CNVLINT
      — GENMNTS
      — TMAXSNG
      — BUFBLK

VERSION-4

COVRGE
  — MSNGFN
      — HSGEAR
      — MSNGFD
  — MSNGMT
      — HSGEAR
      — MSNGMD

Figure A.1-3 Single Fault Call Tree
VERSION-3

COVRGE
  — DBLFLT
      — COMPFUN
          — FCDBL
          — FDDBL
          — FFDBL
      — SUMARS
      — PREVNRC
          — VLTREC
              — CNVLINT
      — VOLTERA
          — CNVLINT
      — GENMNTS
      — TMAXDBL
      — BUFBLK

VERSION-4

COVRGE
  — MDBLFN
      — HSGEAR
      — MDBLFD
  — MDBLMT
      — HSGEAR
      — MDBLMD

Figure A.1-4 Double Fault Call Tree
VERSION-3

CARE3
  — RLSBRN
      — NFLTVDP
      — GNFLTVC
  — FNCK
  — BUFBLK

VERSION-4

CARE3
  — RLSBRN
      — NFLTVDP
      — GNFLTVC
      — RDSPS
      — GNFLTS
  — FNCK
  — BUFBLK

Figure A.1-5 CARE3 Call Tree
VERSION-3

NFLTVDP
  — CAXLAT
      — FHSFST
  — CRXFF
      — FRXIFF
  — FCLAM
  — FHSFST
      — PREEXP
  — FGST
  — FHSFST
  — FHDFST
  — FNCK
  — PRNTGH
  — BUFBLK
  — BUFFOUT

VERSION-4

NFLTVDP
  — GNCPS
      — GNNXX
      — GNNXY
      — BUFDAT
  — GNBPS
      — GNBXX
      — GNBXY
      — GNTXX
      — GNTXY
      — BUFDAT
  — FNCK
  — BUFBLK

Figure A.1-6 NFLTVDP Call Tree
GNCPS
  — GNNXX
  — GNNXY
  — BUFDAT

Figure A.1-7 GNCPS Call Tree
GNBPS
  — GNBXX
  — GNBXY
  — GNTXX
      — FCLAM
      — FHSFST
      — FHDFST
      — FLAM
      — FRXIFF
      — PREEXP
  — GNTXY
      — FHDFST
  — BUFDAT

Figure A.1-8 GNBPS Call Tree
VERSION-3 FAULT VECTOR SELECTION PROCEDURE

GNFLTVC
  — FPSTAR
  — ARZERO
  — GNBXY
  — UNRELQ
      — FINTGRT
      — SUMMAT

VERSION-4 FAULT VECTOR SELECTION PROCEDURE

RDSPS

GNFLTS
  — FPSTAR
  — PRFLTS
      — FPSTAR
      — CKSPS
      — GNBXY
      — UNRELQ
          — FINTGRT
          — SUMMAT

Figure A.1-9 GNFLTVC Call Tree
VERSION-3

SUMMAT
  — BUFFIN
  — FAPC
  — FLAM
  — FPSTAR
  — FAC
      — FBCRTL
          — BXYC
          — FPMUX
  — FCYJ
      — FDSCRTL
          — BXYC
          — FPMUX
  — FPSTREC

VERSION-4

SUMMAT
  — GNFXX
      — FPMUX
      — FPSTAR
  — FB1XX
  — FB2XX
  — FB1XY
  — FB2XY
  — FPSTAR
  — BUFDAT

Figure A.1-10 SUMMAT Call Tree
CAREIN

  Read & check user's input data
  Process system fault tree → FTREE
  Loop over critical pairs fault trees
    Process critical pairs fault tree → FTREE
  Process MINTERM data → CRTLPRS
  Buffer out COVERAGE data (REC, CREC2, CREC3, CREC4)
  Buffer out RELIABILITY data (REC, RREC2)
  Generate SUBRUN data → SUBRUN & SPLIT
  Loop over SUBRUN's
    Buffer out SUBRUN data (RREC3, RREC4)

Figure A.2-1 CAREIN Design Sheet
CRTLPRS

  Position I/O units
  Loop over MINTERM subfiles
    Read PRBMT, MNTRMV
    Read NUNT
    Process: ICSTG, KFSTG, LSTSTG, IISTG, IUSTG
    Process NOP data → GNIQX
    Read MINTERM data → RDCPS (EOFFLG)
    Write KNT data

Figure A.2-2 CRTLPRS Design Sheet
GNIQX

  Loop over stages (x) in SUBRUN
    Initialize IQXNOP and KQXNOP arrays for stage
    IF default NOP data, THEN
      Loop over k_qx (= 1, 10) until q_x = m_x
        IQXNOP(k_qx, x) = q(k_qx, x) = n_x - k_qx + 1
    ELSE user defined NOP data
      Loop over k_qx (= 1, 5) until NOP(k_qx, x) = 0
        k_qm = k_qx
        IQXNOP(k_qx, x) = q(k_qx, x) = NOP(k_qx, x)
      IQXNOP(k_qm, x) = q(k_qm, x) = m_x
    ENDIF
    Loop over ℓ_x - μ_x (= 0, 9)
      Compute q_x defined by n_x - ℓ_x + μ_x
      KQXNOP(ℓ_x - μ_x, x) = k_qx

Figure A.2-3 GNIQX Design Sheet
RDCPS (EOFFLG)

  Initialize KNT array
  Loop over MINTERMS
    Read MINTERM
    Compute: x, m_x, j_x, y, m_y, j_y
    For x < y compute KNT(j_x, y, k_qy) → GNKXY (x, j_x, m_x, y, j_y, m_y)
    For x > y compute KNT(j_y, x, k_qx) → GNKXY (y, j_y, m_y, x, j_x, m_x)
  IF end of MINTERM file, THEN
    EOFFLG = T
  ELSE

Figure A.2-4 RDCPS Design Sheet
GNKXY (x, j_x, m_x, y, j_y, m_y)

  IF x = y, THEN
    Loop over q_x (k_qx = 1, 10) until q_x < m_x or q_x < m_y
      Sum: KNT(j_x, x, k_qx) = KNT(j_x, x, k_qx) + 1
  ELSE x ≠ y
    Loop over q_y (k_qy = 1, 10) until q_y < m_y
      Sum: KNT(j_x, y, k_qy) = KNT(j_x, y, k_qy) + 1
  ENDIF

Figure A.2-5 GNKXY Design Sheet
MSNGFN

  Obtain parameters for fault type
  Initialize states and coefficient matrix
  Initialize output coverage functions
  Loop over time steps (t = IT)
    Integrate system state one time step → HSGEAR, MSNGFD
    Compute output coverage functions
    Check for steady state

Figure A.2-6 MSNGFN Design Sheet

MSNGFD

  Compute time derivatives of states

Figure A.2-7 MSNGFD Design Sheet
MSNGMT

  Initialize moments for t = 0 (IT = 1)
  Loop over time steps (IT = 2, ITSTPS)
    Integrate weighted output coverage functions one reliability time step → HSGEAR, MSNGMD
    Store moments

Figure A.2-8 MSNGMT Design Sheet

MSNGMD (t)

  Locate t in time array for output coverage functions
  Compute weighted output coverage functions

Figure A.2-9 MSNGMD Design Sheet
MDBLFN

  Obtain parameters for fault type
  Initialize states and coefficient matrix
  Initialize output coverage functions
  Loop over time steps (t = IT)
    Integrate system state one time step → HSGEAR, MDBLFD
    Compute output coverage functions
    Check for steady state

Figure A.2-10 MDBLFN Design Sheet

MDBLFD

  Compute time derivatives of states

Figure A.2-11 MDBLFD Design Sheet

MDBLMT

  Initialize moments for t = 0 (IT = 1)
  Loop over time steps (IT = 2, ITSTPS)
    Integrate weighted output coverage functions one reliability time step → HSGEAR, MDBLMD
    Store moments

Figure A.2-12 MDBLMT Design Sheet

MDBLMD (t)

  Locate t in time array for output coverage functions
  Compute weighted output coverage functions

Figure A.2-13 MDBLMD Design Sheet

CARE3

  Buffer in CVRGAR array
  Buffer in TITLE array
  Buffer in REC1
  Buffer in REC2
  Compute KWT from system MINTERM file
  Loop over SUBRUNS
    Buffer in REC3
    Buffer in REC4
    Display
    Compute unreliability per subrun → RLSBRN
    Compute SRNPSTF if a system fault tree
  Compute P* if a system fault tree
  Write SUMMARY

Figure A.2-14 CARE3 Design Sheet
RLSBRN

  Convert failure rates to correct time base
  Create TRNSFC array
  Compute non-ℓ-dependent functions → NFLTVDP
  IF Version 3 fault generation procedure, THEN
    Generate fault vectors → GNFLTVC
  ELSE Version 4 fault generation procedure
    Extract SUBRUN fault tree → RDSPS
    Generate fault vectors → GNFLTS
  ENDIF

Figure A.2-15 RLSBRN Design Sheet
NFLTVDP

  Compute GFLD
  Buffer in KNT data
  IF critical pairs for SUBRUN, THEN
    Process SUBRUN for which critical pairs are defined
  ELSE
    Process SUBRUN for which no critical pairs are defined
  ENDIF
  Generate NXX and NXY data → GNCPS
  Generate BXX and BXY data → GNBPS

Figure A.2-16 NFLTVDP Design Sheet
RDSPS

  Position I/O units
  Loop over all MINTERMS for system fault tree
    Read next minterm, x
    Extract the MINTERM x_j for current SUBRUN
    IF x_j does not cover a previous MINTERM, THEN
      Enter x_j in fault tree data structure
    ENDIF

Note: The logic in RDSPS and the order of MINTERM's stored on the
system minterm file assures that only a MINCUT set of minterms is
stored for the SUBRUN fault tree.

Figure A.2-17 RDSPS Design Sheet
GNFLTS

  Loop over fault vector sets L_n (n = 1, 9)
    Loop over ℓ ∈ L_n
      Compute P*(t|ℓ)
      IF P*(t|ℓ) > PSTRNC, THEN
        Process ℓ → PRFLTS
      ENDIF
    IF n > 2 and LC did not affect calculation, THEN
      Monitor relative change in Q_SUM and P*_SUM
      IF "small", end processing
    ENDIF

Figure A.2-18 GNFLTS Design Sheet
PRFLTS

  IF ℓ ≠ 0, check if ℓ causes system failure → CKSPS (ℓ)
  Case: ℓ = 0
    Initialize display formats
    Compute Q(t|0) → UNRELQ
    Display
  Case: ℓ ≠ 0, ℓ does not cause system failure
    Compute Q(t|ℓ) → UNRELQ
    Display
  Case: ℓ ≠ 0, ℓ causes system failure
    Compute P*(t|ℓ) → FPSTAR
    Display

Figure A.2-19 PRFLTS Design Sheet
CKSPS (ℓ)

  IFAIL = 0
  IF ℓ ≠ 0, THEN
    IFAIL = 1
    IF SUBRUN fault tree, THEN
      IF ℓ does not cover any minterm, THEN
        IFAIL = 0
      ENDIF
    ENDIF
  ENDIF

Note: If there is no user supplied system fault tree or if the
extracted set of MINTERMS for a SUBRUN is empty, the
SUBRUN fault tree is assumed to be an OR tree.

Figure A.2-20 CKSPS Design Sheet
UNRELQ

  Loop over t (= IT)
    Compute K(t|ℓ) → SUMMAT
    Compute Q(t|ℓ) → FINTGRT

Figure A.2-21 UNRELQ Design Sheet
GNCPS

  Position I/O units
  Loop over x
    IF x,x is c.p., THEN
      Compute N_xx → GNNXX (x)
      Write NXX data
    ENDIF
  IF NSTGS > 1, THEN
    Loop over y
      Loop over x < y
        IF x,y are c.p., THEN
          Compute N_xy → GNNXY (x, y)
          Write NXY data
        ENDIF
  ENDIF

Figure A.2-22 GNCPS Design Sheet
GNNXX (x)

  Loop over q_x (k_qx = 1, 10)
    Compute N_xx(q_x)

Figure A.2-23 GNNXX Design Sheet
GNNXY (x, y)

  [assume x < y]
  Loop over q_y (k_qy = 1, 10)
    Loop over q_x (k_qx = 1, 10)
      Compute N_xy(q_x, q_y)

Figure A.2-24 GNNXY Design Sheet
GNBPS

  Position I/O units
  Loop over x
    Compute functions of time → GNTXX (x)
    IF x,x is c.p., THEN
      Read NXX data
      IF non-zero BXX data, THEN (n_x > 2)
        Compute B_xx → GNBXX (x)
      ENDIF
    ENDIF
    Write BXX data
  IF NSTGS > 1, THEN
    Loop over y
      Loop over x < y
        IF x,y is c.p., THEN
          Read NXY data
          IF non-zero BXY data, THEN (n_x > 1 and n_y > 1)
            Compute B_xy → GNBXY (x, y)
            Compute functions of time → GNTXY (x, y)
            Write BXY data
          ENDIF
        ENDIF
  ENDIF

Figure A.2-25 GNBPS Design Sheet
GNBXX (x)

  Loop over μ_x (= 0, ℓ_x)
    Compute B_xx(μ_x)

Figure A.2-26 GNBXX Design Sheet
GNBXY (x, y)

  (Assume x < y)
  Loop over μ_y (= 0, ℓ_y)
    Loop over μ_x (= 0, ℓ_x)
      Compute B_xy(μ_x, μ_y)

Figure A.2-27 GNBXY Design Sheet
GNTXX (x,y)

  Loop over all time steps (t = IT)
    Loop over all fault categories, x_i (i = 1,5)
      Compute r(t|x_i)
    Compute r(t|x)

  Loop over all time steps (t = IT)
    Loop over all fault categories, x_i (i = 1,5)
      Compute λ(t|x_i), Σλ_P, Σλ_T
      Compute H_L(t|x_i), ΣH_LP, ΣH_LT
      Compute h_F(t|x_i), Σh_FP, Σh_FT
      Compute H_B(t|x_i), ΣH_BP, ΣH_BT
      Compute (1-ΣH_LT) Σλ_P, (1-ΣH_LT) Σλ_T
      Compute H_0(t, x_i)

  Loop over all time steps (t = IT)
    Loop over all fault categories, x_i (i = 1,5)
      Compute h_0F(t|x_i), Σh_0FP, Σh_0FT

Figure A. 2-28 GNTXX Design Sheet


GNTXY (x,y)

  Loop over all time steps (t = IT)

    Case: x,y
      Loop over all fault categories, x_i (i = 1,5)
        Loop over all fault categories, y_j (j = 1,5)
          Compute h_0P(t|y_j, x_i), Σh_0PP, Σh_0PT

    Case: y,x
      Loop over all fault categories, y_j (j = 1,5)
        Loop over all fault categories, x_i (i = 1,5)
          Compute h_0P(t|x_i, y_j), Σh_0PP, Σh_0PT

Figure A. 2-29 GNTXY Design Sheet
SUMMAT (t|ℓ)

  Position I/O units. Process IS, Initialize

  Loop over x
    Read BXX data
    Add λ^(0) terms to SUMA

  Loop over x
    Generate x functions  (via GNFXX (t,x))
    Read BXX data
    IF x,x is c.p., THEN
      IF non-zero BXX data, THEN (n_x > 2 and ℓ_x > ℓc_x)
        Add λ^( ) term to SUMA  (via FB2XX (x))   [superscript illegible]
        Add λ^(1) term to SUMA  (via FB1XX (x))
        Add λ^(2) term to SUMC  (via FB2XX (x))
      ENDIF
    ENDIF

Figure A. 2-30 SUMMAT Design Sheet
  IF NSTGS > 1, THEN
    Loop over y
      Loop over x<y
        IF x,y is c.p., THEN
          Read BXY data
          IF non-zero BXY data, THEN (n_x > 1 and n_y > 1 and ℓ_x > ℓc_x and ℓ_y > ℓc_y)
            Add λ^( ) term to SUMA  (via FB2XY (x,y))   [superscript illegible]
            Add λ^(1) term to SUMA  (via FB1XY (x,y))
            Add λ^(2) term to SUMC  (via FB2XY (x,y))
          ENDIF
        ENDIF
  ENDIF

  Compute P*(t|ℓ), a'(t|ℓ)

  Compute K(t|ℓ), store in SUMK(IS)

Figure A. 2-30 SUMMAT Design Sheet (Continued)
GNFXX (t, x)

  IF ℓ_x > 1, THEN
    Compute ℓ-1(x)
    Compute P*(t|ℓ-1(x))
    Compute n_x - ℓ_x + 1
    Compute PSLX(x) = (n_x - ℓ_x + 1) . P*(t|ℓ-1(x))
    Loop over i = 1,2
      Compute ℓ'_x = ℓ_x - i + 1
      Loop over μ_x = 0, ℓ'_x
        Compute ii = ℓ'_x + 1
        Compute FPMX(x, μ_x, ii) = P(t, μ_x|ℓ'_x)
  ELSE
    Compute FPMX(x, 1, 1) = P(t, 0|0)
  ENDIF

Figure A. 2-31 GNFXX Design Sheet


FB1XX (x)

  Case: P,x,x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMX = SUMX + B_xx(ℓ_x-μ_x) * P(t,μ_x|ℓ_x) * μ_x * (μ_x-1)
    FB1XX = SUMX

  Case: T,x,x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMX = SUMX + B_xx(ℓ_x-μ_x) * P(t,μ_x|ℓ_x) * μ_x
    FB1XX = (n_x-ℓ_x) * SUMX

Figure A. 2-32 FB1XX Design Sheet
FB1XY (x,y)

  Case: P,x,y
    SUMY = 0.
    Loop over μ_y (= 0, ℓ_y)
      SUMX = 0.
      Loop over μ_x (= 0, ℓ_x)
        SUMX = SUMX + B_xy(ℓ_x-μ_x, ℓ_y-μ_y) * P(t,μ_x|ℓ_x) * μ_x
      SUMY = SUMY + SUMX * P(t,μ_y|ℓ_y) * μ_y
    FB1XY = SUMY

  Case: P,y,x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMY = 0.
      Loop over μ_y (= 0, ℓ_y)
        SUMY = SUMY + B_xy(ℓ_y-μ_y, ℓ_x-μ_x) * P(t,μ_y|ℓ_y) * μ_y
      SUMX = SUMX + SUMY * P(t,μ_x|ℓ_x) * μ_x
    FB1XY = SUMX

Figure A. 2-33 FB1XY Design Sheet
  Case: T,x,y
    SUMY = 0.
    Loop over μ_y (= 0, ℓ_y)
      SUMX = 0.
      Loop over μ_x (= 0, ℓ_x)
        SUMX = SUMX + B_xy(ℓ_x-μ_x, ℓ_y-μ_y) * P(t,μ_x|ℓ_x)
      SUMY = SUMY + SUMX * P(t,μ_y|ℓ_y) * μ_y
    FB1XY = (n_x-ℓ_x) * SUMY

  Case: T,y,x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMY = 0.
      Loop over μ_y (= 0, ℓ_y)
        SUMY = SUMY + B_xy(ℓ_y-μ_y, ℓ_x-μ_x) * P(t,μ_y|ℓ_y)
      SUMX = SUMX + SUMY * P(t,μ_x|ℓ_x) * μ_x
    FB1XY = (n_y-ℓ_y) * SUMX

Figure A. 2-33 FB1XY Design Sheet (Continued)
FB2XX (x)

  Case: P,x,x
    Increment ℓ_x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMX = SUMX + B_xx(ℓ_x-μ_x) * P(t,μ_x|ℓ_x) * μ_x
    FB2XX = SUMX

  Case: T,x,x
    Increment ℓ_x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMX = SUMX + B_xx(ℓ_x-μ_x) * P(t,μ_x|ℓ_x)
    FB2XX = (n_x-ℓ_x) * SUMX

Figure A. 2-34 FB2XX Design Sheet
FB2XY (x,y)

  Case: P,x,y
    Increment ℓ_y
    SUMY = 0.
    Loop over μ_y (= 0, ℓ_y)
      SUMX = 0.
      Loop over μ_x (= 0, ℓ_x)
        SUMX = SUMX + B_xy(ℓ_x-μ_x, ℓ_y-μ_y) * P(t,μ_x|ℓ_x) * μ_x
      SUMY = SUMY + SUMX * P(t,μ_y|ℓ_y)
    FB2XY = SUMY

  Case: P,y,x
    Increment ℓ_x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMY = 0.
      Loop over μ_y (= 0, ℓ_y)
        SUMY = SUMY + B_xy(ℓ_y-μ_y, ℓ_x-μ_x) * P(t,μ_y|ℓ_y) * μ_y
      SUMX = SUMX + SUMY * P(t,μ_x|ℓ_x)
    FB2XY = SUMX

Figure A. 2-35 FB2XY Design Sheet
  Case: T,x,y
    Increment ℓ_y
    SUMY = 0.
    Loop over μ_y (= 0, ℓ_y)
      SUMX = 0.
      Loop over μ_x (= 0, ℓ_x)
        SUMX = SUMX + B_xy(ℓ_x-μ_x, ℓ_y-μ_y) * P(t,μ_x|ℓ_x)
      SUMY = SUMY + SUMX * P(t,μ_y|ℓ_y)
    FB2XY = (n_x-ℓ_x) * SUMY

  Case: T,y,x
    Increment ℓ_x
    SUMX = 0.
    Loop over μ_x (= 0, ℓ_x)
      SUMY = 0.
      Loop over μ_y (= 0, ℓ_y)
        SUMY = SUMY + B_xy(ℓ_y-μ_y, ℓ_x-μ_x) * P(t,μ_y|ℓ_y)
      SUMX = SUMX + SUMY * P(t,μ_x|ℓ_x)
    FB2XY = (n_y-ℓ_y) * SUMX

Figure A. 2-35 FB2XY Design Sheet (Continued)